Vulnerability Description
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins | < 2.44 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/95963Third Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2607Issue Tracking
- http://www.securityfocus.com/bid/95963Third Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2607Issue Tracking
FAQ
What is CVE-2017-2607?
CVE-2017-2607 is a vulnerability with a CVSS score of 4.2 (MEDIUM). jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content ...
How severe is CVE-2017-2607?
CVE-2017-2607 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-2607?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Jenkins.